Security
This page summarizes the administrative, physical, and technical safeguards Ayureon, Inc. applies to protect Protected Health Information (PHI) and electronic PHI (ePHI) handled by the Ayureon platform. It is grounded in the HIPAA Privacy Rule (45 CFR Part 160 and Part 164, Subparts A and E) and the HIPAA Security Rule (45 CFR Part 160 and Part 164, Subparts A and C).
Scope
This policy applies to all workforce members, contractors, business associates, and AI systems that create, receive, maintain, or transmit PHI on behalf of Ayureon, Inc.
Minimum Necessary Standard
Access to PHI is limited to the minimum necessary to accomplish the intended purpose:
- Role-based access controls define PHI access per role (clinical, engineering, operations, AI systems).
- AI systems that access PHI operate under audit-logged, scoped permissions; agents that do not require PHI operate on de-identified or non-PHI data.
- Query-level enforcement ensures API requests scope PHI access to the specific patient and data elements needed.
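The following is an added example, not Ayureon, Inc. code, of what query-level minimum-necessary enforcement looks like at an API boundary. The role names, permitted data elements, and patient records are constructed for illustration. The check refuses any request for a patient outside the caller's care context, returns only the intersection of the requested and role-permitted data elements rather than the whole record, and writes one audit entry per decision, including what was withheld.

```python
# Added example, not Ayureon, Inc. code: minimum-necessary enforcement at the
# API layer.  Role names, field names, and the patient records are constructed
# for illustration.
import json
import time

# Hypothetical role -> PHI data elements that role may read.  An empty set means
# the role reaches no PHI through this path at all.
ROLE_FIELDS = {
    "clinical": {"name", "dob", "diagnoses", "medications", "allergies"},
    "operations": {"name", "dob", "insurance_id", "encounter_codes"},
    "ai_summarizer": {"diagnoses", "medications", "allergies"},  # no identifiers
    "engineering": set(),
}

# Constructed (fake) patient records standing in for the data store.
PATIENTS = {
    "P-1001": {
        "name": "Jane Example",
        "dob": "1980-01-01",
        "insurance_id": "INS-000-9",
        "diagnoses": ["E11.9"],
        "medications": ["metformin"],
        "allergies": ["penicillin"],
        "encounter_codes": ["99213"],
    },
    "P-2002": {"name": "John Example", "dob": "1975-06-30", "diagnoses": []},
}


class AccessDenied(Exception):
    pass


def minimum_necessary(actor, role, care_context, patient_id, fields, audit_log):
    """Return only the requested data elements the role may see, for a patient
    in the actor's care context, and log the decision.

    actor        unique user or service identity
    role         key into ROLE_FIELDS
    care_context set of patient ids the actor is currently authorized for
    patient_id   patient whose record is requested
    fields       data elements requested
    audit_log    list that receives one dict per decision
    """
    requested = set(fields)
    # 1. Patient scoping: a request outside the actor's care context is refused
    #    outright, so a valid role cannot be used to browse other patients.
    if patient_id not in care_context:
        _audit(audit_log, actor, role, patient_id, "deny",
               "patient_out_of_scope", requested, set())
        raise AccessDenied("patient not in actor's care context")
    # 2. Field scoping: grant only the intersection of requested and permitted.
    permitted = ROLE_FIELDS.get(role, set())
    granted = requested & permitted
    if not granted:
        _audit(audit_log, actor, role, patient_id, "deny",
               "no_permitted_fields", requested, set())
        raise AccessDenied("no requested data element is permitted for role")
    # 3. Build the response from the granted elements only; the rest of the
    #    record never leaves the data layer.
    record = PATIENTS.get(patient_id, {})
    response = {k: record[k] for k in sorted(granted) if k in record}
    _audit(audit_log, actor, role, patient_id, "allow", "ok", requested, granted)
    return response


def _audit(log, actor, role, patient_id, decision, reason, requested, granted):
    # Withheld elements are recoverable as requested minus granted.
    log.append({
        "ts": time.time(),
        "actor": actor,
        "role": role,
        "patient_id": patient_id,
        "decision": decision,
        "reason": reason,
        "requested": sorted(requested),
        "granted": sorted(granted),
    })


if __name__ == "__main__":
    log = []
    # Clinician asks for two clinical fields plus an insurance id; the id is withheld.
    print(minimum_necessary("dr.lee", "clinical", {"P-1001"}, "P-1001",
                            {"name", "medications", "insurance_id"}, log))
    # AI summarizer asks only for identifiers it does not need: denied and logged.
    try:
        minimum_necessary("svc-summarizer", "ai_summarizer", {"P-1001"}, "P-1001",
                          {"name", "dob"}, log)
    except AccessDenied as e:
        print("denied:", e)
    print(json.dumps(log, indent=1))
```

The point of returning the intersection rather than failing the whole request is that a caller who over-requests still receives only what its role needs, while the audit entry records the over-request so that access reviews can spot roles or agents that habitually ask for more than they are entitled to.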
Patient Rights
Patients have the following rights under HIPAA, communicated through the Notice of Privacy Practices:
- Right to Access: response within 30 days; delivery through the patient portal or secure email.
- Right to Amend: response within 60 days, with written explanation.
- Right to Accounting of Disclosures: 6-year disclosure log retained (excluding TPO disclosures).
- Right to Request Restrictions: self-pay restriction requests honored per HITECH.
- Right to Confidential Communications: alternative contact methods supported on request.
- Right to Revoke Authorization: prospective only.
Uses and Disclosures
Permitted Without Authorization (TPO)
- Treatment: provider-to-provider exchange, care coordination via FHIR and connected networks.
- Payment: billing, claims, eligibility verification, payment processing through our payment partners.
- Operations: quality improvement, compliance audits, training, security assessments.
Requiring Written Authorization
- Marketing communications beyond treatment-related outreach.
- Sale of PHI (requires authorization under HIPAA; Ayureon, Inc. does not sell PHI).
- Research uses (unless IRB waiver applies).
- Psychotherapy notes.
- Genetic information disclosures.
Required Disclosures
- To the individual upon request.
- To HHS Office for Civil Rights for compliance investigations.
Administrative Safeguards
- Risk Analysis: comprehensive risk analysis annually and upon significant system changes.
- Risk Management Plan: documented measures to reduce identified risks.
- Sanctions Policy: disciplinary action up to termination for workforce policy violations.
- Information System Activity Review: regular review of audit logs, access reports, and security incident tracking.
- Workforce Training: annual HIPAA training for all workforce members; new-hire training within 30 days.
- Contingency Plan: data backup, disaster recovery, and emergency-mode operations procedures.
Technical Safeguards
- Access Controls: unique user identification, emergency access procedures, automatic logoff, and encryption.
- Audit Controls: ePHI access recorded and examined; logs retained for at least the six-year HIPAA documentation retention period.
- Integrity Controls: mechanisms to authenticate ePHI and protect against improper alteration or destruction.
- Transmission Security: TLS 1.2+ for all data in transit; end-to-end encryption for synchronous patient-provider video where applicable.
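As an added example, not Ayureon, Inc. code, the following shows one concrete integrity control that also supports the audit-control bullet above: an audit trail in which each entry's HMAC covers the previous entry's HMAC, so that altering, deleting, or reordering stored access records is detected on review. The key, the event contents, and the tampering scenarios are constructed for illustration; in production the key would live in a KMS or HSM, never alongside the log.

```python
# Added example, not Ayureon, Inc. code: a tamper-evident audit trail as an
# integrity control over recorded ePHI access.  Every entry's HMAC covers the
# previous entry's HMAC, so alteration, deletion, or reordering of stored
# entries is detected.  The key is a constructed constant here; in practice it
# belongs in a KMS/HSM and is never stored beside the log.
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous MAC" value for the first entry


def _canonical(obj):
    # Stable serialization so the MAC does not depend on key order or spacing.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def append_entry(chain, key, event):
    """Append an audited event to the chain and return the stored entry."""
    prev = chain[-1]["mac"] if chain else GENESIS
    body = {"seq": len(chain), "prev": prev, "event": event}
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    entry = dict(body, mac=mac)
    chain.append(entry)
    return entry


def verify_chain(chain, key):
    """Return (True, None) if every entry is intact and linked in order,
    otherwise (False, index_of_first_bad_entry)."""
    expected_prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != expected_prev:
            return False, i  # gap, deletion, or reordering
        mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, entry.get("mac", "")):
            return False, i  # altered content or wrong key
        expected_prev = entry["mac"]
    return True, None


# Constructed sample: three ePHI access events as the application would log them.
SAMPLE_KEY = b"demo-key-not-for-production"
SAMPLE_EVENTS = [
    {"actor": "dr.lee", "patient": "P-1001", "action": "read", "fields": ["medications"]},
    {"actor": "svc-billing", "patient": "P-1001", "action": "read", "fields": ["insurance_id"]},
    {"actor": "dr.lee", "patient": "P-1001", "action": "update", "fields": ["allergies"]},
]


def build_sample_chain():
    chain = []
    for ev in SAMPLE_EVENTS:
        append_entry(chain, SAMPLE_KEY, ev)
    return chain


def tamper_scenarios():
    """Verification results for an intact chain and three manipulations."""
    intact = build_sample_chain()
    edited = copy.deepcopy(intact)
    edited[1]["event"]["actor"] = "someone-else"  # rewrite who accessed the record
    deleted = copy.deepcopy(intact)
    del deleted[1]                                 # remove an access record
    return {
        "intact": verify_chain(intact, SAMPLE_KEY),
        "edited": verify_chain(edited, SAMPLE_KEY),
        "deleted": verify_chain(deleted, SAMPLE_KEY),
        "wrong_key": verify_chain(intact, b"other-key"),
    }


if __name__ == "__main__":
    for name, result in tamper_scenarios().items():
        print(f"{name:10s} -> {result}")
```

Including the sequence number in the MAC'd body is what turns a deletion into a detectable gap: after removing entry 1, the entry now at position 1 still carries seq 2, so verification fails there rather than silently accepting a shorter log. Truncation of the tail is the one case this scheme alone does not catch; anchoring the latest MAC somewhere the writer cannot modify (a separate store or a periodic signed checkpoint) closes that gap.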
Physical Safeguards
- Facility Access Controls: badge access, visitor logs, and restricted entry at the sensitive operating spaces run by Ayureon, Inc. partners.
- Workstation Security: screen-lock policies and prohibition on PHI display in public areas.
- Device and Media Controls: encryption at rest (AES-256) for databases and object storage; secure disposal of hardware containing ePHI.
Business Associate Management
- Ayureon, Inc. maintains a current BAA inventory across all vendors handling PHI.
- BAAs are executed before any vendor accesses PHI.
- Annual review of BA compliance is performed.
- Non-compliant business associates are notified and given a defined cure period before termination.
Breach Response
See the Incident Response & Breach Notification Plan for detailed procedures. Summary:
- Individual notification without unreasonable delay, and no later than 60 days after discovery.
- HHS OCR notification: for breaches affecting 500 or more individuals, concurrently with individual notice (no later than 60 days after discovery); breaches affecting fewer than 500 individuals are logged and submitted annually, within 60 days after the end of the calendar year in which they were discovered.
- State Attorney General notification per applicable state law.
- FTC Health Breach Notification Rule notifications for breaches of personal health records (PHRs) that fall outside HIPAA, where applicable.
Reporting a Security Concern
If you believe you have discovered a security vulnerability or PHI exposure related to an Ayureon, Inc. service, contact security@ayureon.com. Responsible disclosure is appreciated; please do not access data beyond what is necessary to demonstrate the issue.
Policy Review
This policy is reviewed annually or upon significant regulatory or operational changes.